Vibe Smartphones Receive Patch against Root Exploit; 20 Models Remain Without Fix
Lenovo Vibe smartphones have received a patch against three vulnerabilities that would allow attackers to elevate their privileges to the highest level (root) on affected devices. The security flaws affect a component available on the phone and two applications provided by Lenovo, the Idea Friend contact manager and the Lenovo Security app for Android.
None of the glitches can be exploited in conjunction with at least one of the others, and the attacker needs physical access to the device; these conditions lower the risk and set the severity level to medium. Nevertheless, a hacker could take complete control of an unlocked, unpatched Lenovo Vibe nd “modify the device’s operation and functionality in myriad ways,” the Lenovo security advisory says.
Rooting Android gadgets has its benefits, but it also weakens security. It is useful for those who want to eliminate restrictions by the manufacturer to fully control the tablet or smartphone and decide the access level an app has to sensitive areas on the device; but, without proper regulations, this also allows apps to roam free and read files from other apps or the system.
The glitches in Vibe phones are tracked as CVE-2017-3748, CVE-2017-3749, CVE-2017-3750. Leveraging them consists of repackaging local backups from Idea Friend and the Security app so that they include a malicious component. The payload is then executed in the context of the backup restoration process, which happens with elevated privileges.
Lenovo says only products not updated to version 6 of the Android operating system (Marshmallow) are impacted by the three vulnerabilities. This includes 20 models that are defenseless because Lenovo does not provide a patch for them. However, users can take some measures to make a hacker’s task more difficult.
First, they can prevent access to the phone’s screen by setting a PIN or a password. They can also disable Android Developer Options on the device, or, if this feature is necessary, at least turn off ADB (Android Debug Bridge) when it is not used.
Image credit: Cheon Fong LiewLenovo Vibe privilege escalation root vulnerability